From: | Ken Raeburn <raeburn@MIT.EDU> |
Subject: | gsstest doesn't like krb5-1.6 GSSAPI library |
Date: | Wed, 21 Feb 2007 22:51:35 -0500 |
To: | krb5-bugs@MIT.EDU |
I'm playing with gsstest-1.26 (the latest on the SAP FTP site, though
I've seen mentions on the net of a 1.27 which I haven't tracked down)
and the 1.6 branch.
First problem: gss_canonicalize_name returns a name that will be
rejected by gss_release_name in the mechglue code because the
"loopback" field is not set properly. With that problem quickly
hacked around, it's still reporting three problem cases:
TEST: acquiring *default* accepting credentials (simple)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)
It looks like acquiring the default acceptor credentials doesn't
produce an error, but calling gss_inquire_cred on the result to get a
name out does, because internally it tries to import an empty name.
(Acquiring the acceptor credentials by name was a previous test, and
worked fine.)
TEST: acquiring *default* accepting credentials (query)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)
The "query" version of this test looks at the name in the acquired
credentials, plays some games with exporting and importing and
canonicalizing the name, then tries to acquire credentials using the
resulting name.
TEST: Trying gss_import_name() with ""
Status: gss_import_name() == (GSS_S_CALL_INACCESSIBLE_READ|
GSS_S_BAD_NAME)
gss_display_status(0x01020000,GSS_S_GSS_CODE) =
"A required input parameter could not be read"
"An invalid name was supplied"
ERROR: gss_import_name() didn't return GSS_S_BAD_NAME or GSS_S_FAILURE!
RESULT NOT ok (rc=1)
The test program uses an empty string, not a null or invalid pointer,
so INACCESSIBLE_READ is probably incorrect.
Ken
I've seen mentions on the net of a 1.27 which I haven't tracked down)
and the 1.6 branch.
First problem: gss_canonicalize_name returns a name that will be
rejected by gss_release_name in the mechglue code because the
"loopback" field is not set properly. With that problem quickly
hacked around, it's still reporting three problem cases:
TEST: acquiring *default* accepting credentials (simple)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)
It looks like acquiring the default acceptor credentials doesn't
produce an error, but calling gss_inquire_cred on the result to get a
name out does, because internally it tries to import an empty name.
(Acquiring the acceptor credentials by name was a previous test, and
worked fine.)
TEST: acquiring *default* accepting credentials (query)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)
The "query" version of this test looks at the name in the acquired
credentials, plays some games with exporting and importing and
canonicalizing the name, then tries to acquire credentials using the
resulting name.
TEST: Trying gss_import_name() with ""
Status: gss_import_name() == (GSS_S_CALL_INACCESSIBLE_READ|
GSS_S_BAD_NAME)
gss_display_status(0x01020000,GSS_S_GSS_CODE) =
"A required input parameter could not be read"
"An invalid name was supplied"
ERROR: gss_import_name() didn't return GSS_S_BAD_NAME or GSS_S_FAILURE!
RESULT NOT ok (rc=1)
The test program uses an empty string, not a null or invalid pointer,
so INACCESSIBLE_READ is probably incorrect.
Ken